turbot/alicloud

steampipe plugin install alicloud

Table: alicloud_ram_credential_report

Retrieves a credential report for the Alibaba Cloud account. For more information about the credential report, see Generate and download user credential reports in the RAM Guide.

Please note: This table requires a valid credential report to exist. To generate it, run the following Aliyun CLI command:

aliyun ims GenerateCredentialReport --endpoint ims.aliyuncs.com

Examples

List users that have logged into the console in the past 90 days

select
  user_name,
  user_last_logon
from
  alicloud_ram_credential_report
where
  password_exist
  and password_active
  and user_last_logon > (current_date - interval '90' day);

List users that have NOT logged into the console in the past 90 days

select
  user_name,
  user_last_logon,
  age(user_last_logon)
from
  alicloud_ram_credential_report
where
  password_exist
  and password_active
  and user_last_logon <= (current_date - interval '90' day)
order by
  user_last_logon;

List users with console access that have never logged in to the console

select
  user_name
from
  alicloud_ram_credential_report
where
  password_exist
  and user_last_logon is null;

Find access keys older than 90 days

select
  user_name,
  access_key_1_last_rotated,
  age(access_key_1_last_rotated) as access_key_1_age,
  access_key_2_last_rotated,
  age(access_key_2_last_rotated) as access_key_2_age
from
  alicloud_ram_credential_report
where
  access_key_1_last_rotated <= (current_date - interval '90' day)
  or access_key_2_last_rotated <= (current_date - interval '90' day)
order by
  user_name;

Find users that have a console password but do not have MFA enabled

select
  user_name,
  mfa_active,
  password_exist,
  password_active
from
  alicloud_ram_credential_report
where
  password_exist
  and password_active
  and not mfa_active;

Check if root login has MFA enabled

select
  user_name,
  mfa_active
from
  alicloud_ram_credential_report
where
  user_name = '<root>';

.inspect alicloud_ram_credential_report

Alicloud RAM Credential Report

| Name | Type | Description |
| --- | --- | --- |
| access_key_1_active | boolean | Indicates whether the user access key is active. |
| access_key_1_exist | boolean | Indicates whether the user has an access key. |
| access_key_1_last_rotated | timestamp without time zone | Specifies the time when the access key was rotated. |
| access_key_1_last_used | timestamp without time zone | Specifies the time when the access key was most recently used to sign an Alicloud API request. |
| access_key_2_active | boolean | Indicates whether the user access key is active. |
| access_key_2_exist | boolean | Indicates whether the user has an access key. |
| access_key_2_last_rotated | timestamp without time zone | Specifies the time when the access key was rotated. |
| access_key_2_last_used | timestamp without time zone | Specifies the time when the access key was most recently used to sign an Alicloud API request. |
| account_id | text | The Alicloud Account ID in which the resource is located. |
| additional_access_key_1_active | boolean | Indicates whether the user access key is active. |
| additional_access_key_1_exist | boolean | Indicates whether the user has an access key. |
| additional_access_key_1_last_rotated | timestamp without time zone | Specifies the time when the access key was rotated. |
| additional_access_key_1_last_used | timestamp without time zone | Specifies the time when the access key was most recently used to sign an Alicloud API request. |
| additional_access_key_2_active | boolean | Indicates whether the user access key is active. |
| additional_access_key_2_exist | boolean | Indicates whether the user has an access key. |
| additional_access_key_2_last_rotated | timestamp without time zone | Specifies the time when the access key was rotated. |
| additional_access_key_2_last_used | timestamp without time zone | Specifies the time when the access key was most recently used to sign an Alicloud API request. |
| additional_access_key_3_active | boolean | Indicates whether the user access key is active. |
| additional_access_key_3_exist | boolean | Indicates whether the user has an access key. |
| additional_access_key_3_last_rotated | timestamp without time zone | Specifies the time when the access key was rotated. |
| additional_access_key_3_last_used | timestamp without time zone | Specifies the time when the access key was most recently used to sign an Alicloud API request. |
| generated_time | timestamp without time zone | Specifies the time when the credential report was generated. |
| mfa_active | boolean | Indicates whether a multi-factor authentication (MFA) device has been enabled for the user. |
| password_active | boolean | Indicates whether the password is active. |
| password_exist | boolean | Indicates whether the user has a password for logging in. |
| password_last_changed | timestamp without time zone | Specifies the time when the password was updated. |
| password_next_rotation | timestamp without time zone | Specifies the time when the password will be rotated. |
| user_creation_time | timestamp without time zone | Specifies the time when the user was created. |
| user_last_logon | timestamp without time zone | Specifies the time when the user last logged in to the console. |
| user_name | text | The email of the RAM user. |